Most online services have built-in security systems that alert employees when the systems detect “unusual” activity on their accounts.

For example, legitimate email services or similar will send notifications about attempts to reset the phone number and e-mail address linked to the account, or the password.

Of course, as soon as such messages became commonplace, enterprising cybercriminals tried to imitate this mechanism to attack corporate users.

As cyberattacks rely more on the human factor every year, while technical defences keep improving, such tricks are becoming increasingly common and are being observed in mass mailouts around the world.

The scenario is usually as follows: if the target is a public online service, the attackers will usually make every effort to create an exact copy of a real message. However, if they are hunting for access to an internal system, they often have to rely on their imagination, as they may not know what the genuine email looks like.

Everything about this message looks ridiculous, from the incorrect language to the rather dubious logic — it seems to be at once about linking a new phone number and about sending a password reset code. Nor does the “support” e-mail address lend credibility to the message: there is no plausible reason why a support mailbox should be located on a foreign domain (let alone a Chinese one, for example).

The attackers are hoping that their victim, fearing for the security of their account, will click the red “DON’T SEND CODE” button. Once done, they’re redirected to a website mimicking the account login page, which, as you’d imagine, just steals their password. The hijacked mail account can then be used for BEC-type attacks or as a source of information for further attacks using social engineering.
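The two tells described above (a "support" sender on an unrelated domain, and a button that leads to a look-alike login page) are easy to check mechanically before a message ever reaches an inbox. The following script is an added example, not code from the article or from Kaspersky: it parses a constructed notification email with Python's standard library, extracts the sender's domain and every link target, and flags any host that is not the service's own domain or a subdomain of it. The domains `corp.example`, `account-alerts.example.org` and `corp.example.login-verify.example.net` are placeholders constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message in the style the article describes. All domains
# are placeholders; the "support" sender sits on a domain unrelated to the
# service, and the button links to a host that merely *starts with* the
# legitimate name.
SAMPLE_EMAIL = b"""\
From: Account Support <support@account-alerts.example.org>
To: employee@corp.example
Subject: Linking new phone number - password reset code
Content-Type: text/html; charset=utf-8

<html><body>
<p>A new phone number was linked to your account. A password reset code
will be sent unless you act now.</p>
<p><a href="https://corp.example.login-verify.example.net/reset">DON'T SEND CODE</a></p>
<p><a href="https://corp.example/help">Help</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def host_matches(host, legit_domains):
    """True if host is one of the legitimate domains or a subdomain of one.

    The suffix check is anchored on a leading dot, so a look-alike host such as
    'corp.example.login-verify.example.net' does not match 'corp.example'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def sender_domain(msg):
    """Domain part of the first address in the From header."""
    return msg["from"].addresses[0].domain.lower()


def link_hosts(msg):
    """Hostnames of all anchor targets in the HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content())
    return [urlparse(href).hostname or "" for href in collector.hrefs]


def assess_notification(raw_message, legit_domains):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    sender = sender_domain(msg)
    if not host_matches(sender, legit_domains):
        findings.append(f"sender domain {sender} is not a known service domain")
    for host in link_hosts(msg):
        if not host_matches(host, legit_domains):
            findings.append(f"link points to {host}, not a known service domain")
    return findings


if __name__ == "__main__":
    for finding in assess_notification(SAMPLE_EMAIL, ["corp.example"]):
        print("FLAG:", finding)
```

Run against the sample, the script reports two findings: the sender domain and the reset link both fall outside `corp.example`, while the genuine help link passes. The same check can sit in a mail filter as a first-pass rule; it does not replace the advice to open the service manually in a browser, but it removes the most obvious imitations before anyone has to judge them by eye.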

“Spam and phishing attacks are probably the most underappreciated type of cyberthreats. Even the most responsible employees can be tricked into clicking on them; everyone tends to lose their focus in the hustle of a working day,” says Maria Garnaeva, a cybersecurity expert at Kaspersky.

“The good news is that modern cybersecurity solutions are often equipped with proper anti-spam filters, and most employees’ training in cybersecurity hygiene is successful at preventing such incidents from occurring,” she says.

What to explain to company employees:

To minimise the chances of cybercriminals getting their hands on employees’ credentials, communicate the following to them:

  • Never click on links in automatic security notifications, whether they look real or not.
  • On receiving a notification, check the account’s security settings and linked details yourself, by opening the website manually in the browser.
  • A clumsily worded notification (as in the example) is best ignored and deleted.
  • If the notification looks real, notify the information security service or security officer; it may be a sign of a targeted attack.

Edited by Zintle Nkohla
